Reference Guidelines on the Cybersecurity Protection of Service Enterprises in Securities and Futures Markets

Amended Date: 2024.04.19
Categories: Information Operations

Chapter 2 Network Infrastructure and Cybersecurity Management
Article 4    (Definition of Network Infrastructure)
  1. A network infrastructure enables an organization to consider business continuity and operation together with information and communication security more comprehensively when it devises its business operation systems and structure.
  2. A network diagram shall indicate the equipment of the network environment essential to the maintenance of business operation, such as firewalls, routers, switches, system equipment, wiring, servers and services, and wireless networks. Relevant files and records of the planned network segments and routing, host addresses, and backup cabling shall be kept available.
Article 5    (Network Segmentation)
  1. Work areas shall be divided and isolated by network segmentation to ensure network infrastructure security.
  2. For the purpose of maintaining business operation, the network shall be segmented into, for example, a Demilitarized Zone (DMZ), Production (Prod.), Unit Test (UT) or User Acceptance Test (UAT), and other zones.
  3. An organization shall define the extranet and intranet. The extranet is connected to the Internet, while the intranet is a server-equipped area between personnel and internal services of the organization. Traffic from the extranet to the intranet is subject to access control and is restricted to official use by organizational personnel or approved use by information service providers, so that unauthorized services cannot enter the intranet.
  4. Segregation by a virtual local area network, or VLAN, is advised for intranet segments of an organization. The intranet may be segmented according to the internal units, departments, business natures, etc. of the organization, with restrictions imposed on access among different VLANs.
  5. An organization shall isolate services whose access is restricted and specific services by appropriate means. Information personnel shall, depending on the way of segregation, review the firewall rules or access control list (ACL) periodically.
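The periodic firewall rule and ACL review called for in Article 5 can be partly automated. The following is an added example, not part of the Guidelines: it checks a constructed rule set (zone names, ports and approval references are all invented for illustration) against the segmentation requirements of items 3 to 5, flagging unrestricted or unapproved extranet-to-intranet access, unrestricted access between VLANs, and a missing default deny.

```python
from dataclasses import dataclass

# Zone labels follow Article 5; the names themselves are constructed for this example.
EXTRANET = {"Internet", "DMZ"}
INTRANET = {"Prod", "UAT", "UT", "VLAN-Finance", "VLAN-IT"}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: str   # "any" or a single TCP/UDP port as a string
    action: str     # "allow" or "deny"
    approval: str   # reference to the approval record, "" if none

def review_rules(rules):
    """Return (rule_index, finding) pairs for a periodic ACL review (Article 5, item 5)."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        ext_to_int = r.src_zone in EXTRANET and r.dst_zone in INTRANET
        if ext_to_int and r.dst_port == "any":
            findings.append((i, "extranet->intranet allow without port restriction (item 3)"))
        if ext_to_int and not r.approval:
            findings.append((i, "extranet->intranet allow without approval record (item 3)"))
        if (r.src_zone.startswith("VLAN-") and r.dst_zone.startswith("VLAN-")
                and r.src_zone != r.dst_zone and r.dst_port == "any"):
            findings.append((i, "unrestricted access between VLANs (item 4)"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src_zone == "any"
            and last.dst_zone == "any"):
        findings.append((len(rules), "rule set does not end with a default deny (item 5)"))
    return findings

# Constructed sample rule set for the review.
SAMPLE_RULES = [
    Rule("Internet", "DMZ", "443", "allow", "CHG-0001"),        # public web front end
    Rule("DMZ", "Prod", "5432", "allow", "CHG-0002"),          # web tier to database
    Rule("DMZ", "UAT", "any", "allow", ""),                    # left over from testing
    Rule("VLAN-Finance", "VLAN-IT", "any", "allow", "CHG-0003"),
    Rule("VLAN-IT", "Prod", "22", "allow", "CHG-0004"),        # administrative access
    Rule("any", "any", "any", "deny", "baseline"),
]

if __name__ == "__main__":
    for idx, msg in review_rules(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```

Run against the sample set, the review reports two findings for the leftover DMZ-to-UAT rule and one for the unrestricted inter-VLAN rule; the remaining rules satisfy the checks.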
Article 6    (Network Equipment Protection Standards)
  1. An organization shall avoid using end-of-service (EOS) or end-of-life (EOL) network equipment and shall devise related replacement plans for such equipment.
  2. An organization shall check for official releases of software updates, firmware updates and vulnerability remediation programs and, upon evaluation, update network equipment to the current version or the supplier-proposed version.
  3. An organization shall implement identity verification when it performs remote maintenance of the system through connection by the Internet to the intranet.
  4. The protection standards applicable to all the network equipment of an organization are governed by the Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets.
Article 7    (Wireless Networks)
  1. Access to wireless networks that an organization makes available to internal personnel shall be protected by currently valid, publicly ratified security protocols that contain no known vulnerability. These protocols shall follow the organization's internal network management procedures, and access shall be restricted to official use by organizational personnel or approved use by information service providers.
  2. If an organization provides external wireless network access, its access protection should also use security protocols that are publicly ratified and contain no vulnerabilities.
  3. An organization shall formulate wireless network password rules to minimize the risk of cracking.
Article 8    (Access by External Equipment of the Intranet)
    If an organization permits personnel or information service providers to use external equipment to access the intranet, it shall require an application to be submitted, inspect the security and authorization of the equipment, and restrict the access granted.